On Wed, 2022-11-02 at 22:23 +0100, Armin Wolf wrote:
> When the DDV interface returns a buffer, it actually
> returns a acpi buffer containing an integer (buffer size)
> and another acpi buffer (buffer content).
> The size of the buffer may be smaller than the size of
> the buffer content, which is perfectly valid and should not
> be treated as an error.
Is there documentation for this that you can refer to?
> Also use the buffer size instead of the buffer content size
> when accessing the buffer to prevent accessing bogus data.
>
> Tested on a Dell Inspiron 3505.
>
> Signed-off-by: Armin Wolf <W_Armin@xxxxxx>
> ---
> drivers/platform/x86/dell/dell-wmi-ddv.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/platform/x86/dell/dell-wmi-ddv.c
> b/drivers/platform/x86/dell/dell-wmi-ddv.c
> index 699feae3c435..1a001296e8c6 100644
> --- a/drivers/platform/x86/dell/dell-wmi-ddv.c
> +++ b/drivers/platform/x86/dell/dell-wmi-ddv.c
> @@ -129,9 +129,9 @@ static int dell_wmi_ddv_query_buffer(struct wmi_device
> *wdev, enum dell_ddv_meth
> if (obj->package.elements[1].type != ACPI_TYPE_BUFFER)
> goto err_free;
>
> - if (buffer_size != obj->package.elements[1].buffer.length) {
> + if (buffer_size > obj->package.elements[1].buffer.length) {
> dev_warn(&wdev->dev,
> - FW_WARN "ACPI buffer size (%llu) does not match WMI
> buffer size (%d)\n",
> + FW_WARN "WMI buffer size (%llu) exceeds ACPI buffer
> size (%d)\n",
> buffer_size, obj->package.elements[1].buffer.length);
>
> goto err_free;
> @@ -271,15 +271,17 @@ static int dell_wmi_ddv_buffer_read(struct seq_file
> *seq, enum dell_ddv_method m
> struct device *dev = seq->private;
> struct dell_wmi_ddv_data *data = dev_get_drvdata(dev);
> union acpi_object *obj;
> - union acpi_object buf;
> + u64 size;
> + u8 *buf;
> int ret;
>
> ret = dell_wmi_ddv_query_buffer(data->wdev, method, 0, &obj);
> if (ret < 0)
> return ret;
>
> - buf = obj->package.elements[1];
> - ret = seq_write(seq, buf.buffer.pointer, buf.buffer.length);
> + size = obj->package.elements[0].integer.value;
> + buf = obj->package.elements[1].buffer.pointer;
> + ret = seq_write(seq, buf, size);
Okay, so the buffer may provide more space than what should actually be used
according to the size field. This looks like a bug that should have a fixes tag
on the original commit.
David
> kfree(obj);
>
> return ret;
> --
> 2.30.2
>
